(57) ABSTRACT

A method and system are provided for authenticating users in a client-server system in a way that allows a user to sign-on to numerous servers using a different password for each server, while still only having to remember a single master password. According to one aspect of the invention, a client generates a first set of server-specific authentication information for a first server based on master authentication information stored at the client and data associated with the first server. The client then supplies the first server-specific authentication information to the first server to access restricted resources controlled by the first server. The client generates a second set of second server-specific authentication information for a second server based on the same master authentication information. However, to generate the server-specific authentication information for the second server, the master authentication information is combined with data associated with the second server. The client supplies the second server-specific authentication information to the second server to access restricted resources controlled by the second server. Both the first and the second server-specific authentication information are different from the master authentication information, and the first server-specific authentication information is different from the second server-specific authentication information. Thus, the administrators of the various servers do not have information that would allow them to access the user's account at the other servers.

42 Claims, 2 Drawing Sheets 
SINGLE SIGN-ON FOR A NETWORK SYSTEM THAT INCLUDES MULTIPLE SEPARATELY-CONTROLLED RESTRICTED ACCESS RESOURCES

FIELD OF THE INVENTION

The present invention relates to networked computer systems, and more specifically to user authentication in a network system that includes multiple separately-controlled restricted access resources.

BACKGROUND OF THE INVENTION

The World Wide Web includes a network of servers on the Internet, each of which is associated with one or more HTML (Hypertext Markup Language) pages. The HTML pages associated with a server provide information and hypertext links to other documents on that and (usually) other servers. Servers communicate with clients by using the Hypertext Transfer Protocol (HTTP). The servers listen for requests from clients for their HTML pages, and are therefore often referred to as "listeners".

Users of the World Wide Web use a client program, referred to as a browser, to request, decode and display information from listeners. When the user of a browser selects a link on an HTML page, the browser that is displaying the page sends a request over the Internet to the listener associated with the Universal Resource Locator (URL) specified in the link. In response to the request, the listener transmits the requested information to the browser that issued the request. The browser receives the information, presents the received information to the user, and awaits the next user request.

Because servers on the Internet can be accessed by a multitude of unidentifiable clients, several protection schemes have been developed to protect against unauthorized access to restricted information. One approach used to prevent unauthorized access to restricted information is to require clients to provide certain authorization information before they can have access to information on a particular server. This authorization information typically consists of such items as a userid/password combination, a particular IP address, specific domain name or other information that can identify a particular user and/or machine attempting to access information.

Of the various types of authorization information that may be used to authenticate a user, the userid/password combination is often favored because it is not tied to a particular machine or service provider. Thus, as long as users can remember their userids and passwords, they can gain access to restricted sites from any machine connected to the Internet. When the authorization information consists of a userid/password combination, the user provides the userid/password combination to the web server, in some manner, before the web server will deliver the restricted information to the user.

Once the user has submitted the authorization information to the server, the server determines whether the user is in fact authorized to access the restricted information. If the server determines that the user is authorized to access the restricted information, then the restricted information is sent to the user. Otherwise, the user is not allowed to access the restricted information.

For any given user, authorization information is frequently required to access the restricted resources of numerous on-line service providers. Each separately-controlled web server requests a user to provide authorization information (e.g. a userid/password combination) before allowing access to its products or services. Hence, if a user is subscribed with two separately-controlled on-line services, such as a news provider and a financial services provider, each service provider will request a userid/password combination before allowing the user access to its services.

This creates a problem for users because they must recall the password for each separately-controlled restricted resource. That is, when any given user subscribes to a multitude of such services, the user must remember a multitude of passwords. Consequently, users have adopted various techniques to avoid having to retain a multitude of distinct passwords in their memory.

One approach to avoid memorizing multiple passwords is for users to retain a written copy of their authorization information on or near their computer terminals. Thus, when asked for their userid/password combination, they can simply read it rather than recall it from memory. However, this approach jeopardizes security because third parties may easily obtain the authorization information from the written notes, and thereby gain unauthorized access to all of the service providers listed.

In another approach to avoid memorizing multiple passwords, users use the same password for all of their service providers. Again, this approach jeopardizes security because an employee of one service provider may try to use a user's password for unauthorized access to restricted resources controlled by another service provider. For example, a user may use the password "mypass" to access a site for reading sporting news, and also to access a separately-controlled site for managing the user's bank account. An employee of the provider of the sporting news site knows the user's password for the sporting news site, and may attempt to access the user's bank account using the same password. Because the user uses the same password for both services, the sporting news employee can break in to the user's bank account.

Based on the foregoing, it is desirable to provide a way to allow users to avoid having to memorize multiple passwords without jeopardizing security.

SUMMARY OF THE INVENTION

A method and system are provided for authenticating users in a client-server system in a way that allows a user to sign-on to numerous servers using a different password for each server, while still only having to remember a single master password.

According to one aspect of the invention, a client generates a first set of site-specific authentication information for a first server based on master authentication information stored at the client and data associated with the first server. The client then supplies the first site-specific authentication information to the first server to access restricted resources controlled by the first server. The client generates a second set of second site-specific authentication information for a second server based on the same master authentication information. However, to generate the site-specific authentication information for the second server, the master authentication information is combined with data associated with the second server. The client supplies the second site-specific authentication information to the second server to access restricted resources controlled by the second server. Both the first and the second site-specific authentication information are different from the master authentication
information, and the first site-specific authentication information is different from the second site-specific authentication information. Thus, the administrators of the various servers do not have information that would allow them to access the user's account at the other servers.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention is illustrated by way of example, and not by way of limitation in the figures of the accompanying drawings and in which like reference numerals refer to similar elements and in which:

FIG. 1 is a block diagram of a computer system upon which an embodiment of the invention may be implemented; and

FIG. 2 is a flowchart that illustrates steps for signing on to restricted sites according to an embodiment of the invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

A method and apparatus for single sign-on for a network system that includes multiple separately controlled restricted access resources is described. In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to avoid unnecessarily obscuring the present invention.

FIG. 1 is a block diagram that illustrates a computer system 100 upon which an embodiment of the invention may be implemented. Computer system 100 includes a bus 102 or other communication mechanism for communicating information, and a processor 104 coupled with bus 102 for processing information. Computer system 100 also includes a main memory 106, such as a random access memory (RAM) or other dynamic storage device, coupled to bus 102 for storing information and instructions to be executed by processor 104. Main memory 106 also may be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 104. Computer system 100 further includes a read only memory (ROM) 108 or other static storage device coupled to bus 102 for storing static information and instructions for processor 104. A storage device 110, such as a magnetic disk or optical disk, is provided and coupled to bus 102 for storing information and instructions.

Computer system 100 may be coupled via bus 102 to a display 112, such as a cathode ray tube (CRT), for displaying information to a computer user. An input device 114, including alphanumeric and other keys, is coupled to bus 102 for communicating information and command selections to processor 104. Another type of user input device is cursor control 116, such as a mouse, a trackball, or cursor direction keys for communicating direction information and command selections to processor 104 and for controlling cursor movement on display 112. This input device typically has two degrees of freedom in two axes, a first axis (e.g., x) and a second axis (e.g., y), that allows the device to specify positions in a plane.

The invention is related to the use of computer system 100 for signing on to restricted services using the techniques described hereafter. According to one embodiment of the invention, a single sign-on mechanism is provided in response to processor 104 executing one or more sequences of one or more instructions contained in main memory 106. Such instructions may be read into main memory 106 from another computer-readable medium, such as storage device 110. Execution of the sequences of instructions contained in main memory 106 causes processor 104 to perform the process steps described herein. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions to implement the invention. Thus, embodiments of the invention are not limited to any specific combination of hardware circuitry and software.

The term "computer-readable medium" as used herein refers to any medium that participates in providing instructions to processor 104 for execution. Such a medium may take many forms, including but not limited to, non-volatile media, volatile media, and transmission media. Non-volatile media includes, for example, optical or magnetic disks, such as storage device 110. Volatile media includes dynamic memory, such as main memory 106. Transmission media includes coaxial cables, copper wire and fiber optics, including the wires that comprise bus 102. Transmission media can also take the form of acoustic or light waves, such as those generated during radio-wave and infra-red data communications.

Common forms of computer-readable media include, for example, a floppy disk, a flexible disk, hard disk, magnetic tape, or any other magnetic medium, a CD-ROM, any other optical medium, punchcards, papertape, any other physical medium with patterns of holes, a RAM, a PROM, and EPROM, a FLASH-EPROM, any other memory chip or cartridge, a carrier wave as described hereinafter, or any other medium from which a computer can read.

Various forms of computer readable media may be involved in carrying one or more sequences of one or more instructions to processor 104 for execution. For example, the instructions may initially be carried on a magnetic disk of a remote computer. The remote computer can load the instructions into its dynamic memory and send the instructions over a telephone line using a modem. A modem local to computer system 100 can receive the data on the telephone line and use an infra-red transmitter to convert the data to an infra-red signal. An infra-red detector can receive the data carried in the infra-red signal and appropriate circuitry can place the data on bus 102. Bus 102 carries the data to main memory 106, from which processor 104 retrieves and executes the instructions. The instructions received by main memory 106 may optionally be stored on storage device 110 either before or after execution by processor 104.

Computer system 100 also includes a communication interface 118 coupled to bus 102. Communication interface 118 provides a two-way data communication coupling to a network link 120 that is connected to a local network 122. For example, communication interface 118 may be an integrated services digital network (ISDN) card or a modem to provide a data communication connection to a corresponding type of telephone line. As another example, communication interface 118 may be a local area network (LAN) card to provide a data communication connection to a compatible LAN. Wireless links may also be implemented. In any such implementation, communication interface 118 sends and receives electrical, electromagnetic or optical signals that carry digital data streams representing various types of information.

Network link 120 typically provides data communication through one or more networks to other data devices. For
example, network link 120 may provide a connection through local network 122 to a host computer 124 or to data equipment operated by an Internet Service Provider (ISP) 126. ISP 126 in turn provides data communication services through the world wide packet data communication network now commonly referred to as the "Internet" 128. Local network 122 and Internet 128 both use electrical, electromagnetic or optical signals that carry digital data streams. The signals through the various networks and the signals on network link 120 and through communication interface 118, which carry the digital data to and from computer system 100, are exemplary forms of carrier waves transporting the information.

Computer system 100 can send messages and receive data, including program code, through the network(s), network link 120 and communication interface 118. In the Internet example, a server 130 might transmit a requested code for an application program through Internet 128, ISP 126, local network 122 and communication interface 118. In accordance with the invention, one such downloaded application provides for a single sign-on mechanism as described herein.

The received code may be executed by processor 104 as it is received, and/or stored in storage device 110, or other non-volatile storage for later execution. In this manner, computer system 100 may obtain application code in the form of a carrier wave.

FUNCTIONAL OVERVIEW

A single sign-on mechanism is provided which allows a user to provide different passwords to different sites while still only having to remember a single "master" password. In general, the user enters the master password into a client-side module that is responsible for providing passwords to restricted sites. When a restricted site requests a password, the client-side module generates a site-specific password that is derived from (1) the master password and (2) site-specific information. According to one embodiment, the techniques used to derive the site-specific password are such that the master password cannot be determined based on the site-specific password.

After deriving the site-specific password, the client-side module provides the site-specific password to the restricted site to authenticate the user at the restricted site. This process may be repeated at any number of restricted sites, where each site is provided a different site-specific password. The site-specific passwords that are supplied to different sites are different because they are derived, in part, from different site-specific information. Because different site-specific passwords are provided to different restricted sites, the administrators of any given restricted site will not know or be able to infer a user's password at other restricted sites.

According to one embodiment, not only does a user have to only remember a single password, but the user need only provide the master password once per session. After providing the master password, the authentication process is performed at each restricted site by the client-side module in a manner that is transparent to the user.

According to one aspect of the invention, the client-side module may itself be sent to the client from a server. If a client-side module thus transmitted detects the existence of a similar client-side module at the client, then the newly-arrived client-side module causes the first-arrived client-side module to send a site-specific password to a server based on the master password already entered by the user in the first-arrived client module. On the other hand, if the client-side module does not detect the existence of a similar client-side module, then the client-side module requests the master password from the user, and sends a site-specific password to a server based on the master password and site-specific information.

EXEMPLARY SIGN-ON PROCESS

FIG. 2 is a flow chart that illustrates steps for signing on to restricted sites according to an embodiment of the invention. For the purpose of explanation, the sign-on techniques will be described herein in the context of the World Wide Web. In this context, a browser executing on a client requests information from web servers in response to input from a user. The requests typically include Universal Resource Locators (URLs), which identify the resources that the user desires to access.

It should be noted, however, that the present invention is not restricted to any particular environment. Rather, it may be used in any environment in which a user must be authenticated by more than one mechanism, module, server or system. The invention is particularly valuable when the mechanisms, modules, servers or systems with which the user must be authenticated are not controlled by the same source.

Referring to FIG. 2, at step 200 a user sends a request to access a restricted web site. This step may be accomplished, for example, by the user requesting delivery to the client (i.e. a browser) of a "log on" page for the restricted site. The user may issue such a request by selecting a hyperlink that resides on a previously retrieved web page, by typing the URL of the restricted web site into a text box on the browser, or by using any one of various other site selection mechanisms.

At step 202, the web server that controls the restricted web site sends a sign-on module to the browser that requested access to the web site. According to one embodiment of the invention, the sign-on module is an active content component, such as a JAVA applet, an ActiveX control, or a browser "plug-in". For the purpose of explanation, it shall be assumed that the sign-on module is a JAVA applet that is embedded in the log-on page, and that is transmitted to the browser in the form of JAVA byte code. A JAVA virtual machine in the browser executes the JAVA byte code upon receiving it. The remaining steps 204, 206, 208, 210, 212 and 214 are performed by the sign-on applet as it executes within the JAVA virtual machine on the client.

At step 204, the sign-on applet determines whether there is another instance of the sign-on applet already running on the client. If another instance of the sign-on applet is not already running on the client, then control passes to step 208 where the sign-on applet requests the master password from the user. If, on the other hand, another instance of the sign-on applet is already running on the client, then the user would have already entered the master password into the previously-existing sign-on applet, and control passes to step 206. At step 206, the newly-arrived sign-on applet obtains the master password from the previously-existing sign-on applet.

At step 210, the sign-on applet obtains site-specific data. The site-specific data may be any data that specifically identifies the site to which the user is seeking access. For example, site-specific data may be the URL of the web site that the user is attempting to access. Alternatively, the site-specific data may be the IP address of the site the user is attempting to access, or a combination of the URL and the IP address of the site. Various other forms of site-specific data may be used. Consequently, the present invention is not limited to any particular type of site-specific data.
According to one embodiment, the site-specific data is encoded in the CodeBase of the applet. In such an embodiment, the site-specific data may be obtained in step 210 by extracting the CodeBase of the applet.

At step 212, the applet derives a site-specific password based on the master password and the site-specific data. This step may be represented by the formula:

SP = H[PW + CB]

where SP is the site-specific password, PW is the master password, CB is the CodeBase of the applet, H[ ] is a secure, one-way hash function, and + represents an operation that combines PW and CB.

According to one embodiment, the combining operation used to combine PW and CB prior to applying the hash function H[ ] is a simple binary concatenation operation, and the hash function H[ ] is the Secure Hash Function SHA-1 described in Federal Information Processing Standards Publication 180-1 issued by the National Institute of Standards and Technology. However, various hash functions and combining operations may alternatively be used by the applet, and the present invention is not limited to any particular type of hash function or combining operation. For example, H[ ] may alternatively be the MD5 hash function which is described in detail in B. Schneier, "Applied Cryptography" (New York: John Wiley & Sons, Inc., 2d ed. 1996), at pp. 429-431 and pp. 436-441.
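As an added illustration (not code from the patent; the site CodeBase URLs are constructed placeholders), the following Python implements the derivation SP = H[PW + CB] exactly as the page states it, with SHA-1 over plain concatenation, and checks the two properties the description relies on: passwords differ per site and differ from the master. It also shows two caveats a reviewer would raise against that particular embodiment. Plain concatenation does not record where PW ends and CB begins, so two different (PW, CB) pairs can produce the same SP; and because SHA-1 is fast, whoever holds one site-specific password can test master-password guesses offline at hash speed, which the one-way property alone does not prevent. The length-prefixed variant and the PBKDF2 variant are additions here, not embodiments the page describes.

```python
import hashlib

# The page's formula: SP = H[PW + CB], with H = SHA-1 and "+" = binary concatenation.
def derive_site_password(master_password: str, codebase: str) -> str:
    """Hex SHA-1 of the master password concatenated with the applet's CodeBase."""
    data = master_password.encode("utf-8") + codebase.encode("utf-8")
    return hashlib.sha1(data).hexdigest()


# Caveat 1 (added here): plain concatenation does not record where PW ends and
# CB begins, so ("ab", "cdef") and ("abc", "def") hash to the same SP. A
# length prefix on each field makes the encoding unambiguous.
def derive_site_password_unambiguous(master_password: str, codebase: str) -> str:
    pw = master_password.encode("utf-8")
    cb = codebase.encode("utf-8")
    data = len(pw).to_bytes(4, "big") + pw + len(cb).to_bytes(4, "big") + cb
    return hashlib.sha256(data).hexdigest()


# Caveat 2 (added here): SHA-1 is fast, so anyone holding one SP (for example the
# administrator of that site) can test master-password guesses offline at hash
# speed. A password-based KDF keeps the page's structure (one-way function of
# master + site data) but makes each guess expensive. The iteration count is an
# assumed parameter; the page specifies none.
def derive_site_password_kdf(master_password: str, codebase: str,
                             iterations: int = 200_000) -> str:
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               codebase.encode("utf-8"), iterations).hex()


def demo() -> dict:
    """Constructed inputs: a master password and two placeholder site CodeBases."""
    pw = "correct horse battery"
    news_cb = "http://news.example/signon/"
    bank_cb = "http://bank.example/signon/"
    sp_news = derive_site_password(pw, news_cb)
    sp_bank = derive_site_password(pw, bank_cb)
    return {
        # the properties the description relies on
        "distinct_per_site": sp_news != sp_bank,
        "differs_from_master": pw not in (sp_news, sp_bank),
        # the ambiguity caveat, and its fix
        "concat_collision": derive_site_password("ab", "cdef")
                            == derive_site_password("abc", "def"),
        "unambiguous_no_collision": derive_site_password_unambiguous("ab", "cdef")
                                    != derive_site_password_unambiguous("abc", "def"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module prints the four checks; the collision line is the one worth noticing, since a CodeBase is attacker-influenced input in the sense that each site chooses its own.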

At step 214, the site-specific password generated at step 212 is transmitted to the web server that controls the restricted access web site. The process of submitting the password may be accomplished, for example, by the applet (1) constructing a new URL that encodes the site-specific password, and (2) causing the browser to navigate to the new URL. The web server that controls the restricted access web site will then compare the site-specific password against its user base, and determine whether the user is allowed to access the restricted site. Assuming that the user has permission to access the restricted access web site, the web server will respond by supplying a restricted resource. For example, if the restricted resource is a web page, the web server will respond by sending the restricted web page to the browser.

The steps illustrated in FIG. 2 are repeated every time a user attempts to access a restricted web site. After accessing the first restricted web site in a session, a copy of the applet will be present on the client. Consequently, step 208, in which the user is prompted for the master password, will not be repeated when the user attempts to access subsequent restricted web sites. Thus, the sign-on process executed for those subsequent servers will be transparent to the user.

THE SIGN-ON MODULE

In the embodiment discussed above with reference to FIG. 2, the sign-on module is a JAVA applet that is sent to the browser every time the user attempts to log on to a restricted site. According to one embodiment of the invention, the sign-on module has two components: a "resident" component and a "transitory" component. The resident component of the sign-on module remains in the browser even after the user navigates to a different web site than the site that transmitted the sign-on module.

The transitory component is a small log-in window that prompts the user for a username and password. When the user enters a master username/password combination into the log-in window, the transitory component generates the
site-specific password based on the master username/password and site-specific data encoded in the CodeBase of the sign-on module. After generating the site-specific password, the sign-on module sends the site-specific password to the web server. In addition, the transitory component sends a copy of the master username/password combination to the resident component of the sign-on module. The resident component of the sign-on module stores the username/password in the client's memory.

When the user navigates to another restricted site, the web server that controls the new site transmits another instance of the sign-on module to the user's browser. The second sign-on module differs from the first sign-on module in that its CodeBase encodes site-specific data for the second restricted site. Upon detecting the existence of the resident component of a previously delivered instance of the sign-on module, the second sign-on module does not present the user with a log-on window. Rather, the second sign-on module retrieves the master username/password from the pre-existing resident component. The second sign-on module then proceeds to generate a site-specific password for the second site, and transparently signs the user on to the second site.

To ensure security, the sign-on modules are "signed", according to one embodiment of the invention. That is, they encode a signature that identifies the source (i.e. developer) of the sign-on module. If the sign-on module delivered to the user's browser is not from a source trusted by the user, then the user can prevent the sign-on module from executing, or may simply refuse to supply the master username/password information. Similarly, a pre-existing resident component of the sign-on module will not deliver the master username/password information to a subsequently arriving sign-on module unless the subsequently arriving sign-on module's signature identifies a trusted source. According to one embodiment, the sign-on modules used by various separately-controlled restricted sites will be from the same source, and those sign-on modules will only trust other sign-on modules from the same source.

According to an alternative embodiment, the sign-on modules used by various separately-controlled restricted sites may be from different sources, may implement different hash functions, and may be implemented using different forms of active content. However, they may be configured to supply the master authentication information to each other upon the sign-on module that is storing the master authentication information verifying that the sign-on module that requires the master authentication information is from a trusted source.
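To make the interaction between the components concrete, here is an added Python model (not the patent's code; every class and function name is hypothetical) of the resident/transitory split described above together with the FIG. 2 flow: the once-per-session prompt (steps 204 to 208), the CodeBase carried by each module (step 210), the derivation at step 212, the trusted-source check the resident component applies before handing over the master password, and the server's comparison at step 214. A keyed MAC over the CodeBase stands in for the code signature a real applet would carry, and the server storing a salted hash of each site-specific password is an assumption, since the page only says the server compares the password against its user base. The developer keys, site URLs and user are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional, Tuple

# All names below are hypothetical; they model the page's components, not a real applet.


def derive_site_password(master_password: str, codebase: str) -> str:
    """Step 212: SP = H[PW + CB] with SHA-1 over plain concatenation, as the page states."""
    return hashlib.sha1((master_password + codebase).encode("utf-8")).hexdigest()


class SignOnModule:
    """The transitory component a site delivers with its log-on page (step 202)."""

    def __init__(self, codebase: str, signature: str):
        self.codebase = codebase      # site-specific data, carried in the CodeBase
        self.signature = signature    # identifies the module's source (developer)

    def is_trusted(self, trusted_keys: List[bytes]) -> bool:
        # A keyed MAC over the CodeBase stands in for the public-key code
        # signature a real applet would carry; the trust decision is the point.
        return any(hmac.compare_digest(
            hmac.new(k, self.codebase.encode(), "sha256").hexdigest(), self.signature)
            for k in trusted_keys)

    def sign_on(self, resident: "ResidentComponent", server: "RestrictedServer",
                username: str, ask_user: Callable[[], str]) -> bool:
        master = resident.get_master(self, ask_user)                 # steps 204-208
        if master is None:
            return False                                              # resident refused
        site_password = derive_site_password(master, self.codebase)  # steps 210-212
        return server.check(username, site_password)                  # step 214


class ResidentComponent:
    """Stays in the browser across sites, holds the master password for the session,
    and releases it only to modules whose signature verifies against a trusted key."""

    def __init__(self, trusted_keys: List[bytes]):
        self.trusted_keys = trusted_keys
        self.master: Optional[str] = None
        self.prompts = 0     # times the user was asked; the page promises once per session
        self.refusals = 0    # untrusted modules that were denied the master password

    def get_master(self, module: SignOnModule, ask_user: Callable[[], str]) -> Optional[str]:
        if not module.is_trusted(self.trusted_keys):
            self.refusals += 1
            return None
        if self.master is None:          # step 208: first restricted site this session
            self.master = ask_user()
            self.prompts += 1
        return self.master               # step 206: later sites reuse it silently


class RestrictedServer:
    """A separately-controlled site. Storing a salted hash of each user's SP is an
    assumption; the page only says the server compares SP against its user base."""

    def __init__(self, codebase: str, developer_key: bytes):
        self.codebase = codebase
        self.developer_key = developer_key
        self.users: Dict[str, Tuple[bytes, str]] = {}

    @staticmethod
    def _verifier(salt: bytes, site_password: str) -> str:
        return hashlib.sha256(salt + site_password.encode("utf-8")).hexdigest()

    def enroll(self, username: str, site_password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._verifier(salt, site_password))

    def send_sign_on_module(self) -> SignOnModule:
        """Step 202: embed this site's CodeBase in the module and sign it."""
        tag = hmac.new(self.developer_key, self.codebase.encode(), "sha256").hexdigest()
        return SignOnModule(self.codebase, tag)

    def check(self, username: str, site_password: str) -> bool:
        """Step 214, server side: compare the supplied SP against the user base."""
        record = self.users.get(username)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._verifier(salt, site_password))


def run_session() -> dict:
    """Constructed scenario: two sites from one trusted developer, one from another source."""
    dev_key = b"constructed-trusted-developer-key"
    other_key = b"constructed-untrusted-developer-key"
    news = RestrictedServer("http://news.example/", dev_key)
    bank = RestrictedServer("http://bank.example/", dev_key)
    other = RestrictedServer("http://other.example/", other_key)

    master = "single master password"
    for site in (news, bank):
        site.enroll("alice", derive_site_password(master, site.codebase))

    resident = ResidentComponent(trusted_keys=[dev_key])
    ask_user = lambda: master                      # stands in for the log-in window
    ok_news = news.send_sign_on_module().sign_on(resident, news, "alice", ask_user)
    ok_bank = bank.send_sign_on_module().sign_on(resident, bank, "alice", ask_user)
    other.send_sign_on_module().sign_on(resident, other, "alice", ask_user)

    # What the news administrator learns (the SP for the news site) is useless at the bank.
    sp_news = derive_site_password(master, news.codebase)
    return {
        "news_signed_on": ok_news,
        "bank_signed_on": ok_bank,
        "prompts": resident.prompts,
        "untrusted_module_refused": resident.refusals == 1,
        "news_password_rejected_at_bank": not bank.check("alice", sp_news),
    }
```

`run_session()` returns the observable outcomes: both trusted sites sign the user on, the user is prompted exactly once, the module from the other source is refused the master password, and the news site's password is rejected at the bank, which is the property the page claims against a curious administrator.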

In the foregoing specification, the invention has been described with reference to specific embodiments thereof. It will, however, be evident that various modifications and changes may be made thereto without departing from the broader spirit and scope of the invention. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense.
What is claimed is: 

1. A method for authenticating users in a client-server 
60 system, the method comprising the steps of: 

a client generating first server-specific authentication 
information for a first server based on master authen- 
tication information stored at said client and data 
associated with said first server; 
65 said client supplying said first server-specific authentica- 
tion information to said first server to access restricted 
resources controlled by said first server; and 
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wherein said first server-specific authentication informa- 
tion is different from said master authentication infor- 
mation. 

2. The method of claim 1 further comprising the steps of: 
said client generating second server-specific authentica- 
tion information for said second server based on said 
master authentication information and data associated 
with said second server; and 

said client supplying said second server-specific authen- 
tication information to said second server to access 
restricted resources controlled by said second server; 

wherein said second server-specific authentication infor- 
mation is different from said master authentication 
information; and 

wherein said first server-specific authentication informa- 
tion is different from said second server-specific 
authentication information. 

3. The method of claim 2 further comprising the steps of: 

said client receiving a first request from said first server 
for said first server-specific authentication information; 

said client requesting a user to supply said master authen- 
tication information in response to said first request; 

said client storing said authentication information in 
response to receiving said master authentication infor- 
mation from said user; 

said client receiving a second request from said second 
server for said second server-specific authentication 
information; and 

said client performing the following steps without again 
requesting said user to supply said master authentica- 
tion information: 

generating said second server-specific authentication 
information; and 

supplying said second server-specific authentication 
information to said second server. 

4. The method of claim 2 further comprising the steps of: 

said client receiving a first client-side sign-on module 
from said first server; 

wherein said first client-side sign-on module performs the 
steps of: 

generating said first server-specific authentication 
information for said first server; and 

supplying said first server-specific authentication infor- 
mation to said first server; 

said client receiving a second client-side sign-on module 
from said second server; 

wherein said second client-side sign-on module performs 
the steps of: 

generating said second server-specific authentication 
information for said second server; and 

supplying said second server-specific authentication 
information to said second server. 

5. The method of claim 4 further comprising the steps of: 

said first client-side sign-on module requesting master 
authentication information from a user; 

said first client-side sign-on module storing said master 
authentication information in memory on said client in 
response to receiving said master authentication infor- 
mation from said user. 

6. The method of claim 5 further comprising the steps of: 

said second client-side sign-on module detecting said first 
client-side sign-on module in said client; and 

said second client-side sign-on module requesting said 
master authentication information from said first client- 
side sign-on module. 
7. The method of claim 6 further comprising the steps of: 

the first client-side sign-on module responding to said 
second client-side sign-on module by determining 
whether a signature associated with said second client- 
side sign-on module indicates that said second client- 
side sign-on module is from a trusted source; 

if said signature associated with said second client-side 
sign-on module indicates that said second client-side 
sign-on module is from a trusted source, then said first 
client-side sign-on module supplying said second 
client-side sign-on module with said master authenti- 
cation information. 

8. The method of claim 1 further comprising the step of 
requesting a user to supply said master authentication infor- 
mation to said client in response to said first server request- 
ing said first server-specific authentication information from 
said client. 

9. The method of claim 1 further comprising the steps of: 

said client responding to a request from said first server 
for said first server-specific information by determining 
whether the client currently stores master authentica- 
tion information; 

if said client determines that said client currently stores 
master authentication information, then said client per- 
forming the step of generating said first server-specific 
authentication information without requesting said 
master authentication information from a user; and 

if said client determines that said client does not currently 
store master authentication information, then said client 
requesting said user to provide said master authentica- 
tion information, and storing said master authentication 
in response to receiving said master authentication 
information from said user. 

10. The method of claim 1 further comprising the steps of: 

said client receiving a first client-side sign-on module 
from a server; 

wherein said first client-side sign-on module performs the 
steps of: 

generating said first server-specific authentication 
information for said first server; and 

supplying said first server-specific authentication infor- 
mation to said first server. 

11. The method of claim 10 wherein the step of receiving 
said first client-side sign-on module is performed by receiv- 
ing said first client-side sign-on module from said first server 
in response to said client requesting restricted resources 
from said first server. 

12. The method of claim 10 wherein the step of receiving 
a first client-side sign-on module includes receiving an 
active content module, wherein the active content module 
includes one or more of a plug-in module, a JAVA applet, 
and an ActiveX component. 

13. The method of claim 10 wherein the first client-side 
sign-on module performs the step of generating said first 
server-specific authentication information based on data 
associated with said first site after extracting said data 
associated with said first server from the CodeBase of said 
first client-side sign-on module. 

14. The method of claim 1 wherein the step of said client 
storing master authentication information includes the step 
of said client storing one or more of a username, an IP 
address, and a master password. 

15. The method of claim 1 wherein the step of generating 
said first server-specific authentication information includes 
generating said first server-specific authentication informa- 
tion based upon a secure one-way hash function. 
16. The method of claim 1 wherein said data associated 
with said first server includes one or more of a URL, an IP 
address, a software vendor number, and unique server iden- 
tifier. 

17. The method of claim 1 wherein: 

said first server is a web server; 

the web server requests said first server-specific authen- 
tication information in response to a browser on the 
client transmitting over the World Wide Web a URL 
that identifies a restricted web page controlled by the 
web server; and 

the step of supplying said first server-specific authentica- 
tion information is performed by transmitting the first 
server-specific authentication information to the web 
server. 

18. A method for authenticating users in a client-server 
system, the method comprising the steps of: 

a server receiving a request for restricted resources from 
a client; 

said server transmitting to said client a client-side sign-on 
module which, when executed at said client, generates 
server-specific authentication information based on 
data associated with said server and master authenti- 
cation information stored in said client; and 

said server receiving said server-specific authentication 
information from said client-side sign-on module as 
said client-side sign-on module executes on said client. 

19. The method of claim 18 wherein the step of trans- 
mitting said client-side sign-on module includes transmit- 
ting a client-side module that has encoded in its CodeBase 
the data, associated with said server, that is used in combi- 
nation with said master authentication information to gen- 
erate said server-specific authentication information. 

20. The method of claim 18 wherein said sign-on module 
is configured to ask a user of said client for said master 
authentication information if no pre-existing sign-on module 
is detected on said client, and to ask said pre-existing 
sign-on module for said master authentication information if 
a pre-existing sign-on module is detected on said client. 
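The derivation of claims 1, 15 and 16 and the prompt-or-reuse logic of claims 7, 9 and 20, as an added example that is not the patent's own code: the patent names only "a secure one-way hash function", so PBKDF2-HMAC-SHA256 with the server data as salt, the `SignOnModule` class, the `trusted` flag standing in for the signature check, and all URLs and passwords are this example's assumptions.

```python
import base64
import hashlib
from typing import Callable, Optional

# The patent names only "a secure one-way hash function"; PBKDF2-HMAC-SHA256
# with the server data as salt is this example's assumption, chosen so that a
# server holding the derived value cannot cheaply guess a weak master password.
PBKDF2_ITERATIONS = 100_000

def derive_server_password(master_password: str, server_data: str) -> str:
    """Server-specific authentication information = H(master, server data).

    server_data is the data associated with the server: a URL, IP address,
    vendor number or unique server identifier (claim 16).
    """
    digest = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                 server_data.encode("utf-8"),
                                 PBKDF2_ITERATIONS, dklen=18)
    return base64.urlsafe_b64encode(digest).decode("ascii")

class SignOnModule:
    """Hypothetical client-side sign-on module, one per server.

    The first module prompts the user once and keeps the master password in
    memory; a later module asks an already-present module instead of
    prompting again, and is refused unless it is trusted (claims 7, 9, 20).
    """

    def __init__(self, server_data: str, prompt_user: Callable[[], str],
                 existing: Optional["SignOnModule"] = None,
                 trusted: bool = True):
        self.server_data = server_data
        self._prompt_user = prompt_user
        self._existing = existing
        self.trusted = trusted  # stands in for the signature check of claim 7
        self._master: Optional[str] = None

    def share_master(self, requester: "SignOnModule") -> Optional[str]:
        """Hand the cached master password only to a trusted module."""
        return self._master if requester.trusted else None

    def _master_password(self) -> str:
        if self._master is None and self._existing is not None:
            self._master = self._existing.share_master(self)
        if self._master is None:  # nothing cached anywhere: ask the user
            self._master = self._prompt_user()
        return self._master

    def sign_on(self) -> str:
        """Authentication information this module sends to its own server."""
        return derive_server_password(self._master_password(), self.server_data)

def demo() -> dict:
    """Two servers, one master password, one prompt (constructed sample data)."""
    prompts = []

    def prompt_user() -> str:
        prompts.append("prompted")
        return "correct horse battery staple"  # constructed master password

    first = SignOnModule("https://mail.example.test/", prompt_user)
    second = SignOnModule("https://bank.example.test/", prompt_user, existing=first)
    return {"first": first.sign_on(), "second": second.sign_on(),
            "prompts": len(prompts)}
```

Each server receives a value it cannot reuse at the other, and an untrusted module that is refused the cached master password can only fall back to prompting the user, which is itself a visible signal.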

21. A computer-readable medium carrying one or more 
sequences of instructions for authenticating users in a client- 
server system, wherein execution of the one or more 
sequences of instructions by one or more processors causes 
the one or more processors to perform the steps of: 

a client generating first server-specific authentication 
information for a first server based on master authen- 
tication information stored at said client and data 
associated with said first server; 

said client supplying said first server-specific authentica- 
tion information to said first server to access restricted 
resources controlled by said first server; and 

wherein said first server-specific authentication informa- 
tion is different from said master authentication infor- 
mation. 

22. The computer-readable medium of claim 21 further 
comprising instructions for performing the steps of: 

said client generating second server-specific authentica- 
tion information for said second server based on said 
master authentication information and data associated 
with said second server; and 

said client supplying said second server-specific authen- 
tication information to said second server to access 
restricted resources controlled by said second server; 

wherein said second server-specific authentication infor- 
mation is different from said master authentication 
information; and 

wherein said first server-specific authentication informa- 
tion is different from said second server-specific 
authentication information. 

23. The computer-readable medium of claim 18 further 
comprising instructions for performing the step of request- 
ing a user to supply said master authentication information 
to said client in response to said first server requesting said 
first server-specific authentication information from said 
client. 

24. The computer-readable medium of claim 21 further 
comprising instructions for performing the steps of: 

said client responding to a request from said first server 
for said first server-specific information by determining 
whether the client currently stores master authentica- 
tion information; 

if said client determines that said client currently stores 
master authentication information, then said client per- 
forming the step of generating said first server-specific 
authentication information without requesting said 
master authentication information from a user; and 

if said client determines that said client does not currently 
store master authentication information, then said client 
requesting said user to provide said master authentica- 
tion information, and storing said master authentication 
in response to receiving said master authentication 
information from said user. 

25. The computer-readable medium of claim 24 further 
comprising instructions for performing the steps of: 

said client receiving a first client-side sign-on module 
from a server; 

wherein said first client-side sign-on module performs the 
steps of: 

generating said first server-specific authentication 
information for said first server; and 

supplying said first server-specific authentication infor- 
mation to said first server. 

26. The computer-readable medium of claim 25 wherein 
the step of receiving said first client-side sign-on module is 
performed by receiving said first client-side sign-on module 
from said first server in response to said client requesting 
restricted resources from said first server. 

27. The computer-readable medium of claim 24 wherein 
the step of said client storing master authentication infor- 
mation includes the step of said client storing one or more 
of a username, an IP address, and a master password. 

28. The computer-readable medium of claim 27 further 
comprising instructions for performing the steps of: 

said first client-side sign-on module requesting master 
authentication information from a user; 

said first client-side sign-on module storing said master 
authentication information in memory on said client in 
response to receiving said master authentication infor- 
mation from said user. 

29. The computer-readable medium of claim 28 wherein 
the step of receiving a first client-side sign-on module 
includes receiving an active content module, wherein the 
active content module includes one or more of a plug-in 
module, a JAVA applet, and an ActiveX component. 

30. The computer-readable medium of claim 29 further 
comprising instructions for performing the steps of: 

the first client-side sign-on module responding to said 
second client-side sign-on module by determining 
whether a signature associated with said second client- 
side sign-on module indicates that said second client- 
side sign-on module is from a trusted source; 

if said signature associated with said second client-side 
sign-on module indicates that said second client-side 
sign-on module is from a trusted source, then said first 
client-side sign-on module supplying said second 
client-side sign-on module with said master authenti- 
cation information. 

31. The computer-readable medium of claim 28 wherein 
the first client-side sign-on module performs the step of 
generating said first server-specific authentication informa- 
tion based on data associated with said first site after 
extracting said data associated with said first server from the 
CodeBase of said first client-side sign-on module. 

32. The computer-readable medium of claim 24 wherein 
the step of generating said first server-specific authentication 
information includes generating said first server-specific 
authentication information based upon a secure one-way 
hash function. 

33. The computer-readable medium of claim 32 further 
comprising instructions for performing the steps of: 

said second client-side sign-on module detecting said first 
client-side sign-on module in said client; and 

said second client-side sign-on module requesting said 
master authentication information from said first client- 
side sign-on module. 

34. The computer-readable medium of claim 24 wherein 
said data associated with said first server includes one or 
more of a URL, an IP address, a software vendor number, 
and unique server identifier. 

35. The computer-readable medium of claim 24 wherein: 

said first server is a web server; 

the web server requests said first server-specific authen- 
tication information in response to a browser on the 
client transmitting over the World Wide Web a URL 
that identifies a restricted web page controlled by the 
web server; and 

the step of supplying said first server-specific authentica- 
tion information is performed by transmitting the first 
server-specific authentication information to the web 
server. 

36. The computer-readable medium of claim 21 further 
comprising instructions for performing the steps of: 

said client receiving a first request from said first server 
for said first server-specific authentication information; 

said client requesting a user to supply said master authen- 
tication information in response to said first request; 

said client storing said authentication information in 
response to receiving said master authentication infor- 
mation from said user; 

said client receiving a second request from said second 
server for said second server-specific authentication 
information; and 

said client performing the following steps without again 
requesting said user to supply said master authentica- 
tion information: 

generating said second server-specific authentication 
information; and 

supplying said second server-specific authentication 
information to said second server. 

37. The computer-readable medium of claim 36 further 
comprising instructions for performing the steps of: 

said client receiving a first client-side sign-on module 
from said first server; 

wherein said first client-side sign-on module performs the 
steps of: 

generating said first server-specific authentication 
information for said first server; and 

supplying said first server-specific authentication infor- 
mation to said first server; 

said client receiving a second client-side sign-on module 
from said second server; 

wherein said second client-side sign-on module performs 
the steps of: 

generating said second server-specific authentication 
information for said second server; and 

supplying said second server-specific authentication 
information to said second server. 

38. The client-server system of claim 37 wherein said 
particular server is said first server. 

39. A computer-readable medium carrying one or more 
sequences of instructions for authenticating users in a client- 
server system, wherein execution of the one or more 
sequences of instructions by one or more processors causes 
the one or more processors to perform the steps of: 

a server transmitting to a client a client-side sign-on 
module which, when executed at said client, generates 
server-specific authentication information based on 
data associated with said server and master authenti- 
cation information stored in said client; and 

said server receiving said server-specific authentication 
information from said client-side sign-on module as 
said client-side sign-on module executes on said client. 

40. The computer-readable medium of claim 39 wherein 
the step of transmitting said client-side sign-on module 
includes transmitting a client-side module that has encoded 
in its CodeBase the data, associated with said server, that is 
used in combination with said master authentication infor- 
mation to generate said server-specific authentication infor- 
mation. 

41. The computer-readable medium of claim 39 wherein 
said sign-on module is configured to ask a user of said client 
for said master authentication information if no pre-existing 
sign-on module is detected on said client, and to ask said 
pre-existing sign-on module for said master authentication 
information if a pre-existing sign-on module is detected on 
said client. 

42. A client-server system comprising: 
a client; 

a plurality of servers; 

a network operatively connecting said client to said 
plurality of servers to allow communication between 
said client and said plurality of servers; 

said plurality of servers including at least a first server 
configured to respond to a resource request issued by 
said client by sending to said client a sign-on module; 

wherein said sign-on module is configured to perform the 
following steps while executing on said client: 

retrieving master authentication information stored in 
said client; 

combining said master authentication information with 
server-specific data; 

generating server-specific authentication information 
based on said master authentication information and 
the server-specific data; and 

transmitting said server-specific authentication infor- 
mation to a particular server of said plurality of 
servers. 

***** 